For a customer PoC I have a pair of ISE installed and have added several network devices (e.g Cisco, Arista, F5, Aruba, and HP) for device administration where some are administrated viaTACACS+ and some over RADIUS. The goal here is to replace an old ACS system and an old RADIUS Server (FREE-RADIUS).

My particular issue is currently the HP switches. I have set up all necessary attributes and settings on the ISE, like for the other vendors. But on the HP I not getting any success. 

On the ISE I see the authentication, authorization steps with full success, but the switch tells me permission denied, which is wired. On the old RADIUS system (FREE_RADIUS), my customer is using the Cisco attributes for all HP switches and it works fine there.

I found out if I'm leaving out the "aaa authentication login privilege-mode"  command, the given attributes on the ISE seems to work. But I will have to authenticate one time for the level 0  and then again for the enable mode level 15  which I want to avoid and is not used on my customer's environment. 

Here an extract of the switch configuration:

radius-server host xx.xx.xxx.xx key xxxxxxxxx acct-port 1646 auth-port 1645
radius-server host xx.xx.xx.xx key xxxxxxxxxx acct-port 1646 auth-port 1645

aaa accounting update periodic 1
aaa authentication login privilege-mode
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

Attributes I have used and tried: